STUXNet

N&P: Discuss governments, nations, politics and recent related news here.

Moderators: Alyrium Denryle, Edi, K. A. Pital

MKSheppard
Ruthless Genocidal Warmonger
Posts: 29842
Joined: 2002-07-06 06:34pm

STUXNet

Post by MKSheppard »


How Stuxnet is Scaring the Tech World Half to Death

A complex computer virus and its imminent threat.

BY Jonathan V. Last
September 30, 2010 2:30 PM

The computer worm Stuxnet broke out of the tech underworld and into the mass media this week. It’s an amazing story: Stuxnet has infected roughly 45,000 computers. Sixty percent of these machines happen to be in Iran. Which is odd. What is odder still is that Stuxnet is designed specifically to attack a computer system using software from Siemens which controls industrial facilities such as factories, oil refineries, and oh, by the way, nuclear power plants. As you might imagine, Stuxnet raises big, interesting geo-strategic questions. Did a state design it as an attack on the Iranian nuclear program? Was it a private group of vigilantes? Some combination of the two? Or something else altogether?

But it’s worth pausing to contemplate Stuxnet on its own terms, and understand why the tech nerds were so doomsday-ish about it in the first place. We should start at the beginning.

A computer worm is distinct from a virus. A virus is a piece of code which attaches itself to other programs. A worm is a program by itself, which exists on its own within a computer. A good (meaning really bad) worm must do several things quite subtly: It must find its way onto the first machine by stealth. While a resident, it must remain concealed. Then it must have another stealthy method of propagating to other computers. And finally, it must have a purpose. Stuxnet achieved all of these goals with astounding elegance.

The Stuxnet worm was first discovered on June 17, 2010 by VirusBlokAda, a digital security company in Minsk. Over the next few weeks, tech security firms began trying to understand the program, but the overall response was slow because Stuxnet was so sophisticated. On July 14, Siemens was notified of the danger Stuxnet posed to its systems. At the time, it was believed that Stuxnet exploited a “zero day” vulnerability (that is, a weak point in the code never foreseen by the original programmers) in Microsoft’s Windows OS. Microsoft moved within days to issue a patch.

By August, the details of Stuxnet were becoming clearer. Researchers learned troubling news: The virus sought to over-ride supervisory control and data acquisition (SCADA) systems in Siemens installations. SCADA systems are not bits of virtual ether—they control all sorts of important industrial functions. As the Christian Science Monitor notes, a SCADA system could, for instance, override the maximum safety setting for RPMs on a turbine. Cyber security giant Symantec warned:

Stuxnet can potentially control or alter how [an industrial] system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

As the days ticked by, Microsoft realized that Stuxnet was using not just one zero-day exploit but four of them. Symantec’s Liam O’Murchu told Computer World, “Using four zero-days, that’s really, really crazy. We’ve never seen that before.”

Still, no one knew where Stuxnet had come from. A version of the worm from June 2009 was discovered and when the worm’s encryption was finally broken, a digital time stamp on one of the components (the ~wtr4141.tmp file, in case you’re keeping score at home) put the time of compilation—the worm’s birthday—as February 3, 2009.

The functionality of Stuxnet is particularly interesting. The worm gains initial access to a system through a simple USB drive. When an infected USB drive is plugged into a machine, the computer does a number of things automatically. One of them is that it pulls up icons to be displayed on your screen to represent the data on the drive. Stuxnet exploited this routine to pull the worm onto the computer. The problem, then, is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installs what’s called a “rootkit”—essentially a piece of software which intercepts the security queries and sends back false “safe” messages, indicating that the worm is innocuous.

The trick is that installing a rootkit requires using drivers, which Windows machines are well-trained to be suspicious of. Windows requests that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely-guarded secrets. Yet Stuxnet’s malicious drivers were able to present genuine signatures from two genuine computer companies, Realtek Semiconductor and JMicron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. No one knows how the Stuxnet creators got hold of these keys, but it seems possible that they were physically—as opposed to digitally—stolen.

So the security keys enable the drivers, which allow the installation of the rootkit, which hides the worm that was delivered by the corrupt USB drive. Stuxnet’s next job was to propagate itself efficiently, but quietly. Whenever another USB drive was inserted into an infected computer, it became infected, too. But in order to reduce visibility and avoid detection, the Stuxnet creators set up a system so that each infected USB drive could only pass the worm on to three other computers.

Stuxnet was not designed to spread over the Internet at large. (We think.) It was, however, able to spread over local networks—primarily by using the print spooler that runs printers shared by a group of computers. And once it reached a computer with access to the Internet it began communicating with a command-and-control server—the Stuxnet mothership. The C&C servers were located in Denmark and Malaysia and were taken off-line after they were discovered. But while they were operational, Stuxnet would contact them to deliver information it had gathered about the system it had invaded and to request updated versions of itself. You see, the worm’s programmers had also devised a peer-to-peer sharing system by which a Stuxnet machine in contact with C&C would download newer versions of itself and then use it to update the older worms on the network.

And then there’s the actual payload. Once a resident of a Windows machine, Stuxnet sought out systems running the WinCC and PCS 7 SCADA programs. It then began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. It’s this last bit—the vulnerability of PLC—which is at the heart of the concern about Stuxnet. A normal worm has Internet consequences. It might eat up bandwidth or slow computers down or destroy code or even cost people money. But PLC protocols interact with real-world machinery – for instance, turn this cooling system on when a temperature reaches a certain point, shut that electrical system off if the load exceeds a given level, and so on.

To date, no one knows exactly what Stuxnet was doing in the Siemens PLC. “It’s looking for specific things in specific places in these PLC devices,” Digital Bond CEO Dale Peterson told PC World. “And that would really mean that it’s designed to look for a specific plant.” Tofino Security Chief Technology Officer Eric Byres was even more ominous, saying, “The only thing I can say is that it is something designed to go bang.” Even the worm’s code suggests calamity. Ralph Langner is the most prominent Stuxnet sleuth and he notes that one of the last bits of code in the worm is the line “DEADF007.” (Presumably a dark joke about “deadf*ckers” and the James Bond call-sign “007.”) “After the original code is no longer executed, we can expect that something will blow up soon,” Langner says somewhat dramatically. “Something big.”

The most important question is what that “something big” might be.

But there is another intriguing question: How did Stuxnet spread as far as it did? The worm is, as a physical piece of code, very large. It’s written in multiple languages and weighs in at nearly half a megabyte, which is one of the reasons there are still many pieces of it that we don’t understand. And one of those puzzles is how Stuxnet found its way onto so many computers so far away from one another. Iran is the epicenter, but Stuxnet is found in heavy concentrations in Pakistan, Indonesia, and India, too, and even as far away as Russia, Uzbekistan, and Azerbaijan. By the standards of modern worms, the 45,000 computers infected by Stuxnet is piddling. But if Stuxnet really can only propagate via local networks and USB drives, how did it reach even that far?

Stuxnet is already the most studied piece of malware ever, absorbing the attention of engineers and programmers across the globe, from private companies to academics, to government specialists. And yet despite this intense scrutiny, the worm still holds many secrets.

----------------------------

STUXNET under the microscope -- White paper by ESET
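
The article above dates the worm from a time stamp inside one of its components. As an added example (not part of the original post, the article, or any vendor's tooling), and assuming such a component is a Windows PE file, this Python code reads the COFF header `TimeDateStamp` and flags values that cannot be a real build time; the sample files and the helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Win32 PE files do not predate 1993, so an earlier stamp was zeroed or overwritten.
PE_FORMAT_EPOCH = datetime(1993, 1, 1, tzinfo=timezone.utc)


class NotPEError(ValueError):
    """Raised when the buffer is not a parseable PE image."""


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp as a timezone-aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPEError("missing MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data):  # 4-byte signature + 20-byte COFF header
        raise NotPEError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPEError("missing PE signature")
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_findings(compiled: datetime, first_seen: datetime) -> list:
    """Flag stamps that cannot be a true build time.

    The linker writes this field and nothing verifies it, so a plausible
    value is an investigative lead, not proof of when the code was built.
    """
    findings = []
    if compiled < PE_FORMAT_EPOCH:
        findings.append("predates the PE format: zeroed or overwritten")
    if compiled > first_seen:
        findings.append("later than first sighting: forged or wrong clock")
    return findings


def build_sample_pe(stamp: int) -> bytes:
    """Constructed test input: the smallest header set the parser needs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 0, 0x2102)  # i386 DLL
    return bytes(dos) + b"PE\0\0" + coff


def triage(samples: dict, first_seen: datetime) -> dict:
    """Map sample name -> (compile time or None, list of findings)."""
    report = {}
    for name, blob in samples.items():
        try:
            compiled = pe_compile_time(blob)
        except NotPEError as exc:
            report[name] = (None, [str(exc)])
            continue
        report[name] = (compiled, timestamp_findings(compiled, first_seen))
    return report


def _epoch(*parts) -> int:
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp())


# Discovery date as given in the article; every sample below is constructed.
FIRST_SEEN = datetime(2010, 6, 17, tzinfo=timezone.utc)
SAMPLES = {
    "plausible.tmp": build_sample_pe(_epoch(2009, 2, 3, 9, 30)),
    "zeroed.tmp": build_sample_pe(0),
    "future.tmp": build_sample_pe(_epoch(2011, 1, 1)),
    "truncated.tmp": b"MZ" + b"\x00" * 10,
}

if __name__ == "__main__":
    for name, (when, findings) in triage(SAMPLES, FIRST_SEEN).items():
        print(name, when.isoformat() if when else "-", findings or ["no anomalies"])
```
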
"If scientists and inventors who develop disease cures and useful technologies don't get lifetime royalties, I'd like to know what fucking rationale you have for some guy getting lifetime royalties for writing an episode of Full House." - Mike Wong

"The present air situation in the Pacific is entirely the result of fighting a fifth rate air power." - U.S. Navy Memo - 24 July 1944
Starglider
Miles Dyson
Posts: 8709
Joined: 2007-04-05 09:44pm
Location: Isle of Dogs

Re: STUXNet

Post by Starglider »

This is the first widely reported case of a computer virus engineered and deployed by a nation state, to act as a direct weapon of sabotage. Computer software has long since been used to carry out sabotage as an extension of conventional counter-espionage (the pipeline incident alluded to above), and various nations use viruses and rootkits for surveillance/espionage (with the capability to attack physical infrastructure rumored). Still, this is a historical landmark and will no doubt be used by numerous 'cyberwarfare' units to justify budget increases. Oh and it's a nice little reminder that we're in the 21st century now, a lot of that sci-fi cyberpunk stuff is starting to become reality...
Zaune
Emperor's Hand
Posts: 7540
Joined: 2010-06-21 11:05am
Location: In Transit

Re: STUXNet

Post by Zaune »

This is so many kinds of crazy I don't even know where to start. No way is this government-sponsored; even if you ignore the potential for collateral damage, this kind of stunt gives Iran the moral high-ground and pisses off everyone who still thinks international law should mean something. Obama's not that stupid, the Israelis aren't that suicidally overconfident and nobody else has a believable motive.
There are hardly any excesses of the most crazed psychopath that cannot easily be duplicated by a normal kindly family man who just comes in to work every day and has a job to do.
-- (Terry Pratchett, Small Gods)


Replace "ginger" with "n*gger," and suddenly it become a lot less funny, doesn't it?
-- fgalkin


Like my writing? Tip me on Patreon

I Have A Blog
RedImperator
Roosevelt Republican
Posts: 16465
Joined: 2002-07-11 07:59pm
Location: Delaware

Re: STUXNet

Post by RedImperator »

Zaune wrote:This is so many kinds of crazy I don't even know where to start. No way is this government-sponsored; even if you ignore the potential for collateral damage, this kind of stunt gives Iran the moral high-ground and pisses off everyone who still thinks international law should mean something. Obama's not that stupid, the Israelis aren't that suicidally overconfident and nobody else has a believable motive.
It's not an international incident unless you can prove who did it.
Any city gets what it admires, will pay for, and, ultimately, deserves…We want and deserve tin-can architecture in a tinhorn culture. And we will probably be judged not by the monuments we build but by those we have destroyed.--Ada Louise Huxtable, "Farewell to Penn Station", New York Times editorial, 30 October 1963
X-Ray Blues
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: STUXNet

Post by Stark »

Starglider wrote:This is the first widely reported case of a computer virus engineered and deployed by a nation state, to act as a direct weapon of sabotage. Computer software has long since been used to carry out sabotage as an extension of conventional counter-espionage (the pipeline incident alluded to above), and various nations use viruses and rootkits for surveillance/espionage (with the capability to attack physical infrastructure rumored). Still, this is a historical landmark and will no doubt be used by numerous 'cyberwarfare' units to justify budget increases. Oh and it's a nice little reminder that we're in the 21st century now, a lot of that sci-fi cyberpunk stuff is starting to become reality...

I'll give a shit when the refined superior version is detected. It's an interesting test case but it can only affect sensitive sites due to laziness. When it's more efficient and has a better, more reliable vector it'll be proper dangerous.
Skgoa
Jedi Master
Posts: 1389
Joined: 2007-08-02 01:39pm
Location: Dresden, valley of the clueless

Re: STUXNet

Post by Skgoa »

Can't edit anymore. Please delete the other post.


According to rumors coming out of the data security industry (I hope that's the right English term :D ), the payload looks like it might be targeted at the Iranian uranium enrichment program and there were indeed unexplained delays in the relevant timeframe. Enrichment is a highly complicated process that requires very precise measurement and control. If they programmed it to do the process slightly wrong, while showing the right values on the control screens and log files, it would be impossible for the engineers to find the error.

Zaune wrote:This is so many kinds of crazy I don't even know where to start. No way is this government-sponsored; even if you ignore the potential for collateral damage, this kind of stunt gives Iran the moral high-ground and pisses off everyone who still thinks international law should mean something. Obama's not that stupid, the Israelis aren't that suicidally overconfident and nobody else has a believable motive.
You have no idea what you are talking about. :banghead:
Who, if not Israel or the US, is going to spend the millions of dollars this has WITHOUT DOUBT cost on a single attack? Who has the capability to get agents into the target facility to get the exact makeup of their system? Who has the capability to get a USB drive inserted into one of the computers at the facility? And who has a motive to target the Iranian nuclear industry?
http://www.politicalcompass.org/test
Economic Left/Right: -7.12
Social Libertarian/Authoritarian: -7.74

This is pre-WWII. You can sort of tell from the sketch style, from the way it refers to Japan (Japan in the 1950s was still rebuilding from WWII), the spelling of Tokyo, lots of details. Nothing obvious... except that the upper right hand corner of the page reads "November 1931." --- Simon_Jester
Julhelm
Jedi Master
Posts: 1468
Joined: 2003-01-28 12:03pm
Location: Brutopia

Re: STUXNet

Post by Julhelm »

It does look as if the worm has been spread by USB memory sticks used by the Russian contractor who built the Bushehr site, since the rest of the infected computers are all in other countries where this same firm has had contracts. My guess is the Russians.
Zaune
Emperor's Hand
Posts: 7540
Joined: 2010-06-21 11:05am
Location: In Transit

Re: STUXNet

Post by Zaune »

RedImperator wrote:It's not an international incident unless you can prove who did it.
If Iran can't find proof then they'll fabricate it. People will believe it because they want to believe it.
Skgoa wrote:Who, if not Israel or the US, is going to spend the millions of dollars this has WITHOUT DOUBT cost on a single attack? Who has the capability to get agents into the target facility to get the exact makeup of their system? Who has the capability to get a USB drive inserted into one of the computers at the facility? And who has a motive to target the Iranian nuclear industry?
I grant you this is more sophisticated than I'd expect from a loose coalition of basement-dwellers trying to make their dicks look bigger, but millions of dollars and a sophisticated black op? I'm not so sure. The system it's targeting is likely pretty off-the-shelf, the security keys could have been stolen by a disgruntled employee looking to make a fast buck, and how hard would it be to target one Iranian scientist's home PC with a Trojan? We don't even have any actual proof that it's specifically targeting their nuclear program; it's possible, if not especially likely, that this is an attempt to cripple their oil production instead.
And you never addressed my central point. Who has a credible motive for risking another Middle Eastern war?
Skgoa
Jedi Master
Posts: 1389
Joined: 2007-08-02 01:39pm
Location: Dresden, valley of the clueless

Re: STUXNet

Post by Skgoa »

As I said, you have no idea what you are talking about. Now, I don't like argumentum ad auctoritatem, but I get my information from actual experts working in the actual industry and am more or less a hacker myself, so please just accept the following: your post shows that you don't have the most basic idea how Stuxnet even works, much less what it takes to engineer it.

And to once more address the motive: the number of entities who even had just the ability to have done it is very VERY low. It comes down to USA, Israel, Russia, China and a couple of not very likely European countries. Of those, Russia themselves might not have needed to use as many zero-day exploits (since they are the ones who are building all those facilities in the first place) and China doesn't care as much about Iran's nuclear program as the other major powers.
This leaves the US and Israel, two countries that both have cyberwarfare units and who are very much against Iran obtaining nukes.

Julhelm wrote:It does look as if the worm has been spread by USB memory sticks used by the Russian contractor who built the Bushehr site, since the rest of the infected computers are all in other countries where this same firm has had contracts. My guess is the Russians.
Or maybe one of the employees is a spy? :wink:
Lagmonster
Master Control Program
Posts: 7719
Joined: 2002-07-04 09:53am
Location: Ottawa, Canada

Re: STUXNet

Post by Lagmonster »

While I appreciate that this is computer-related, the inevitable discussion about world cyberwarfare politics leads me to want to punt this to another forum.
Note: I'm semi-retired from the board, so if you need something, please be patient.
Zaune
Emperor's Hand
Posts: 7540
Joined: 2010-06-21 11:05am
Location: In Transit

Re: STUXNet

Post by Zaune »

Skgoa wrote:Now, I don't like argumentum ad auctoritatem, but I get my information from actual experts working in the actual industry and am more or less a hacker myself, so please just accept the following: your post shows that you don't have the most basic idea how Stuxnet even works, much less what it takes to engineer it.
Then by all means use your vastly superior knowledge to enlighten this mere A+ Certified technician who has never felt the need to dick around with someone else's computer for a laugh and does not move in the same circles as these 'actual experts working in the actual industry' of which you speak.
Or in other words, if you're going to accuse me of not knowing what I'm talking about then you'd better have some compelling evidence that you do.
And to once more address the motive: the number of entities who even had just the ability to have done it is very VERY low. It comes down to USA, Israel, Russia, China and a couple of not very likely European countries. Of those, Russia themselves might not have needed to use as many zero-day exploits (since they are the ones who are building all those facilities in the first place) and China doesn't care as much about Iran's nuclear program as the other major powers.
This leaves the US and Israel, two countries that both have cyberwarfare units and who are very much against Iran obtaining nukes.
They don't need nuclear weapons to forcibly annexe Iraq in retaliation and undo everything the US damn near bankrupted itself to achieve there, or to make one hell of a mess of Israel. Hell, they could make life in the States pretty awkward just by withholding their oil exports.
TithonusSyndrome
Sith Devotee
Posts: 2569
Joined: 2006-10-10 08:15pm
Location: The Money Store

Re: STUXNet

Post by TithonusSyndrome »

Skgoa wrote:According to rumors coming out of the data security industry (I hope that's the right English term :D ), the payload looks like it might be targeted at the Iranian uranium enrichment program and there were indeed unexplained delays in the relevant timeframe. Enrichment is a highly complicated process that requires very precise measurement and control. If they programmed it to do the process slightly wrong, while showing the right values on the control screens and log files, it would be impossible for the engineers to find the error.
Yeah, no shit. I know that in CANDUs, it's the delay neutrons that are responsible for the better part of the fission, not the immediate neutrons, and probably so in other reactors too. If the reactor is in normal mode, then this would mask any real discrepancy in the setpoint until it's too late.
RedImperator
Roosevelt Republican
Posts: 16465
Joined: 2002-07-11 07:59pm
Location: Delaware

Re: STUXNet

Post by RedImperator »

Zaune wrote:
RedImperator wrote:It's not an international incident unless you can prove who did it.
If Iran can't find proof then they'll fabricate it. People will believe it because they want to believe it.
How would you "fabricate" proof like that? Independent organizations have access to the worm and can confirm or refute any Iranian claims about the code. What else are they going to do? Grab some random American tourist and force him to confess he wrote it?
Marcus Aurelius
Jedi Master
Posts: 1361
Joined: 2008-09-14 02:36pm
Location: Finland

Re: STUXNet

Post by Marcus Aurelius »

Skgoa wrote: And to once more address the motive: the number of entities who even had just the ability to have done it is very VERY low. It comes down to USA, Israel, Russia, China and a couple of not very likely European countries.
Besides, China has long-term oil supply contracts with Iran and would not piss them off over a matter that is, like you said, less important to them than any other major power. However, why is everybody forgetting the Saudis? They hate the Iranians due to religious and historical reasons (Iranians are mostly ethnic Persians, which should tell you something) and they certainly have enough money to hire a small city worth of hackers, if they want to. There is even historical precedent: in case you didn't know, the KSA was a major financier of Saddam's war against Iran. In addition, most of the recent arms acquisitions of the KSA were actually done more in order to counter the threat of Iran rather than Israel.
The Kernel
Emperor's Hand
Posts: 7438
Joined: 2003-09-17 02:31am
Location: Kweh?!

Re: STUXNet

Post by The Kernel »

Marcus Aurelius wrote: Besides, China has long-term oil supply contracts with Iran and would not piss them off over a matter that is, like you said, less important to them than any other major power. However, why is everybody forgetting the Saudis? They hate the Iranians due to religious and historical reasons (Iranians are mostly ethnic Persians, which should tell you something) and they certainly have enough money to hire a small city worth of hackers, if they want to. There is even historical precedent: in case you didn't know, the KSA was a major financier of Saddam's war against Iran. In addition, most of the recent arms acquisitions of the KSA were actually done more in order to counter the threat of Iran than Israel.
I doubt very much the Saudis have the brain trust to pull a thing like this off. They aren't exactly known as being on the cutting edge of computer science.
Marcus Aurelius
Jedi Master
Posts: 1361
Joined: 2008-09-14 02:36pm
Location: Finland

Re: STUXNet

Post by Marcus Aurelius »

The Kernel wrote: I doubt very much the Saudis have the brain trust to pull a thing like this off. They aren't exactly known as being on the cutting edge of computer science.
True, but like I wrote, they do have shitloads of money. The only reason why they don't have even better toys for their military forces is that nobody will sell them any better stuff. There are a lot of hacker groups and individual hackers in Russia and other places who probably do not have such scruples.
RedImperator
Roosevelt Republican
Posts: 16465
Joined: 2002-07-11 07:59pm
Location: Delaware

Re: STUXNet

Post by RedImperator »

Marcus Aurelius wrote:
The Kernel wrote: I doubt very much the Saudis have the brain trust to pull a thing like this off. They aren't exactly known as being on the cutting edge of computer science.
True, but like I wrote, they do have shitloads of money. The only reason why they don't have even better toys for their military forces is that nobody will sell them any better stuff. There are a lot of hacker groups and individual hackers in Russia and other places who probably do not have such scruples.
I'm rapidly approaching the "talk out of my ass" threshold here, but this isn't the kind of thing some basement hackers could have cobbled together. Getting access to the drivers is by itself a pretty serious piece of industrial espionage; does the kingdom's intelligence service have the ability to pull something like that?

I really can't wait to read the book about this thirty years from now.
MKSheppard
Ruthless Genocidal Warmonger
Posts: 29842
Joined: 2002-07-06 06:34pm

Re: STUXNet

Post by MKSheppard »

RedImperator wrote:Getting access to the drivers is by itself a pretty serious piece of industrial espionage
You mean the digital signatures for two semiconductor companies to sign the drivers to make them appear authentic?
RedImperator
Roosevelt Republican
Posts: 16465
Joined: 2002-07-11 07:59pm
Location: Delaware

Re: STUXNet

Post by RedImperator »

MKSheppard wrote:
RedImperator wrote:Getting access to the drivers is by itself a pretty serious piece of industrial espionage
You mean the digital signatures for two semiconductor companies to sign the drivers to make them appear authentic?
Yeah. That's not the kind of thing you find floating around on FilePlanet.
Marcus Aurelius
Jedi Master
Posts: 1361
Joined: 2008-09-14 02:36pm
Location: Finland

Re: STUXNet

Post by Marcus Aurelius »

RedImperator wrote:
MKSheppard wrote:
RedImperator wrote:Getting access to the drivers is by itself a pretty serious piece of industrial espionage
You mean the digital signatures for two semiconductor companies to sign the drivers to make them appear authentic?
Yeah. That's not the kind of thing you find floating around on FilePlanet.
You are of course right, but you seem to forget that quite a few Cold War spies were motivated simply by money. If a person was willing to betray his or her country for money, wouldn't you think that it would be much easier to find such persons working in relevant companies or in close association with them?
CJvR
Sith Devotee
Posts: 2926
Joined: 2002-07-11 06:36pm
Location: K.P.E.V. 1

Re: STUXNet

Post by CJvR »

There are three players with serious interests in screwing the Iranian A-bomb program.

The US, Israel and the Saudis. I think it could well be a multinational operation. The CIA and the Mossad got the contacts and assets for the cloak and dagger elements as well as the technological experts and with Saudi money they eliminate the money trail.

It is rather interesting that Pakistan is hit that bad, perhaps they are still aiding the Iranian bomb program, not very nice of them...
I thought Roman candles meant they were imported. - Kelly Bundy
12 yards long, two lanes wide it's 65 tons of American pride, Canyonero! - Simpsons
Support the KKK environmental program - keep the Arctic white!
RedImperator
Roosevelt Republican
Posts: 16465
Joined: 2002-07-11 07:59pm
Location: Delaware

Re: STUXNet

Post by RedImperator »

Marcus Aurelius wrote:You are of course right, but you seem to forget that quite a few Cold War spies were motivated simply by money. If a person was willing to betray his or her country for money, wouldn't you think that it would be much easier to find such persons working in relevant companies or in close association with them?
I have no doubt that money was involved, but if you don't have a solid intelligence program already in place, what are you going to do, start dialing the company directory at random? Any operation like this requires having assets in place ahead of time that you can tap; even if it's just a guy who knows a guy.
Chaotic Neutral
Jedi Knight
Posts: 576
Joined: 2010-09-09 11:43pm
Location: California

Re: STUXNet

Post by Chaotic Neutral »

I only have one response to this: OH SHIT! This is the beginning of a long period of computer wars.
MKSheppard
Ruthless Genocidal Warmonger
Posts: 29842
Joined: 2002-07-06 06:34pm

Re: STUXNet

Post by MKSheppard »

Actually, it appears that both companies whose digital signatures were stolen, resided in the same building. So all you had to do was send someone in to physically raid the offices after hours.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: STUXNet

Post by Stark »

Thanks Shep, but the article already said that. It's not, however, the first thing someone breaking in would think to steal (even if they knew where it was).

Also lol at people constantly describing a nuclear program as an 'A-bomb program'. :roll: